Blocking SQL Server db_datareader, db_datawriter, and db_owner Permissions in SQL Server

You've hit upon one of the reasons many DBAs dislike the use of all inclusive roles like db_datareader, db_datawriter, and db_owner: if you have to make a security change, it because very problematic to do so. The best option, from an architecture perspective, is to redo the security permissions so that they are the minimum necessary for each user. However, because we're often under time constraints to come up with a solution, it's not possible to make major changes. There is something you can do, however. It involves the use of DENY.

More....